In this assignment, you will perform a qualitative risk assessment, using a template that has been provided below. Your last assignment in the course will be to take one of these risks and develop a section for your Incident Response Plan or Disaster Recovery Plan that address that risk.
1. Groups will work on a risk assessment using one of the agencies as assigned, below:
|Organization||Link to Audit Reports||Groups|
|National Aeronautics and Space Administration (NASA)||http://oig.nasa.gov/audits/reports/FY10/IG-10-018-R.pdf||1, 8, 15|
|Veterans Administration (VA)||http://www.va.gov/oig/pubs/VAOIG-12-01712-229.pdf||2, 9, 7|
|Securities and Exchange Commission (SEC)||http://www.sec.gov/about/offices/oig/reports/audits/2013/512.pdf||3, 10|
|Office of Personnel Management (OPM)||https://www.opm.gov/our-inspector-general/reports/2016/federal-information-security-modernization-act-audit-fiscal-year-2016-4a-ci-00-16-039.pdf||5, 12, 14|
You will read through the report and look for findings and recommendations from the GAO’s audit of the agency’s security practices. Your job will be to develop a risk assessment from these findings to assess the likelihood and impact. A listing of threats has been prepopulated for you. These threats have been categorized by type as shown below:
|Threat Origination Category||Type Identifier|
|Threats launched purposefully||P|
|Threats created by unintentional human or machine errors||U|
|Threats caused by environmental agents or disruptions||E|
Purposeful threats are launched by threat actors for a variety of reasons and the reasons may never be fully known. Threat actors could be motivated by curiosity, monetary gain, political gain, social activism, revenge or many other driving forces. It is possible that some threats could have more than one threat origination category.
Some threat types are more likely to occur than others. The following table takes threat types into consideration to help determine the likelihood that vulnerability could be exploited. The threat table shown in Table 2-2 is designed to offer typical threats to information systems and these threats have been considered for the organization. Not all of these will be relevant to the findings in your risk assessment, however you will need to identify those that are.
|ID||Threat Name||Type ID||Description||Typical Impact to Data or System|
|T-1||Alteration||U, P, E||Alteration of data, files, or records.||Modification|
|T-2||Audit Compromise||P||An unauthorized user gains access to the audit trail and could cause audit records to be deleted or modified, or prevents future audit records from being recorded, thus masking a security relevant event. Also applies to a purposeful act by an Administrator to mask unauthorized activity.||Modification or Destruction||Unavailable Accurate Records|
|T-3||Bomb||P||An intentional explosion.||Modification or Destruction||Denial of Service|
|T-4||Communications Failure||U, E||Cut of fiber optic lines, trees falling on telephone lines.||Denial of Service|
|T-5||Compromising Emanations||P||Eavesdropping can occur via electronic media directed against large scale electronic facilities that do not process classified National Security Information.||Disclosure|
|T-6||Cyber Brute Force||P||Unauthorized user could gain access to the information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities.||Disclosure||Modification or Destruction||Denial of Service|
|T-7||Data Disclosure||P, U||An attacker uses techniques that could result in the disclosure of sensitive information by exploiting weaknesses in the design or configuration. Also used in instances where misconfiguration or the lack of a security control can lead to the unintentional disclosure of data.||Disclosure|
|T-8||Data Entry Error||U||Human inattention, lack of knowledge, and failure to cross-check system activities could contribute to errors becoming integrated and ingrained in automated systems.||Modification|
|T-9||Denial of Service||P||An adversary uses techniques to attack a single target rendering it unable to respond and could cause denial of service for users of the targeted information systems.||Denial of Service|
|T-10||Distributed Denial of Service Attack||P||An adversary uses multiple compromised information systems to attack a single target and could cause denial of service for users of the targeted information systems.||Denial of Service|
|T-11||Earthquake||E||Seismic activity can damage the information system or its facility. Please refer to the following document for earthquake probability maps http://pubs.usgs.gov/of/2008/1128/pdf/OF08-1128_v1.1.pdf .||Destruction||Denial of Service|
|T-12||Electromagnetic Interference||E, P||Disruption of electronic and wire transmissions could be caused by high frequency (HF), very high frequency (VHF), and ultra-high frequency (UHF) communications devices (jamming) or sun spots.||Denial of Service|
|T-13||Espionage||P||The illegal covert act of copying, reproducing, recording, photographing or intercepting to obtain sensitive information .||Disclosure||Modification|
|T-14||Fire||E, P||Fire can be caused by arson, electrical problems, lightning, chemical agents, or other unrelated proximity fires.||Destruction||Denial of Service|
|T-15||Floods||E||Water damage caused by flood hazards can be caused by proximity to local flood plains. Flood maps and base flood elevation should be considered.||Destruction||Denial of Service|
|T-16||Fraud||P||Intentional deception regarding data or information about an information system could compromise the confidentiality, integrity, or availability of an information system.||Disclosure||Modification or Destruction||Unavailable Accurate Records|
|T-17||Hardware or Equipment Failure||E||Hardware or equipment may fail due to a variety of reasons.||Denial of Service|
|T-18||Hardware Tampering||P||An unauthorized modification to hardware that alters the proper functioning of equipment in a manner that degrades the security functionality the asset provides.||Modification||Denial of Service|
|T-19||Hurricane||E||A category 1, 2, 3, 4, or 5 land falling hurricane could impact the facilities that house the information systems.||Destruction||Denial of Service|
|T-20||Malicious Software||P||Software that damages a system such a virus, Trojan, or worm.||Modification or Destruction||Denial of Service|
|T-21||Phishing Attack||P||Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs, by pretending to be communications from a legitimate/trustworthy source.
Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information.
|Disclosure||Modification or Destruction||Denial of Service|
|T-22||Power Interruptions||E||Power interruptions may be due to any number of reasons such as electrical grid failures, generator failures, uninterruptable power supply failures (e.g. spike, surge, brownout, or blackout).||Denial of Service|
|T-23||Procedural Error||U||An error in procedures could result in unintended consequences. This is also used where there is a lack of defined procedures that introduces an element of risk.||Disclosure||Modification or Destruction||Denial of Service|
|T-24||Procedural Violations||P||Violations of standard procedures.||Disclosure||Modification or Destruction||Denial of Service|
|T-25||Resource Exhaustion||U||An errant (buggy) process may create a situation that exhausts critical resources preventing access to services.||Denial of Service|
|T-26||Sabotage||P||Underhand interference with work.||Modification or Destruction||Denial of Service|
|T-27||Scavenging||P||Searching through disposal containers (e.g. dumpsters) to acquire unauthorized data.||Disclosure|
|T-28||Severe Weather||E||Naturally occurring forces of nature could disrupt the operation of an information system by freezing, sleet, hail, heat, lightning, thunderstorms, tornados, or snowfall.||Destruction||Denial of Service|
|T-29||Social Engineering||P||An attacker manipulates people into performing actions or divulging confidential information, as well as possible access to computer systems or facilities.||Disclosure|
|T-30||Software Tampering||P||Unauthorized modification of software (e.g. files, programs, database records) that alters the proper operational functions.||Modification or Destruction|
|T-31||Terrorist||P||An individual performing a deliberate violent act could use a variety of agents to damage the information system, its facility, and/or its operations.||Modification or Destruction||Denial of Service|
|T-32||Theft||P||An adversary could steal elements of the hardware.||Denial of Service|
|T-33||Time and State||P||An attacker exploits weaknesses in timing or state of functions to perform actions that would otherwise be prevented (e.g. race conditions, manipulation user state).||Disclosure||Modification||Denial of Service|
|T-34||Transportation Accidents||E||Transportation accidents include train derailments, river barge accidents, trucking accidents, and airlines accidents. Local transportation accidents typically occur when airports, sea ports, railroad tracks, and major trucking routes occur in close proximity to systems facilities. Likelihood of HAZMAT cargo should be determined when considering the probability of local transportation accidents.||Destruction||Denial of Service|
|T-35||Unauthorized Facility Access||P||An unauthorized individual accesses a facility which may result in comprises of confidentiality, integrity, or availability.||Disclosure||Modification or Destruction||Denial of Service|
|T-36||Unauthorized Systems Access||P||An unauthorized user accesses a system or data.||Disclosure||Modification or Destruction|
The risk analysis for each vulnerability consists of assessing security controls to determine the likelihood that vulnerability could be exploited and the potential impact should the vulnerability be exploited. Essentially, risk is proportional to both likelihood of exploitation and possible impact. The following sections provide a brief description of each component used to determine the risk.
This risk analysis process is based on qualitative risk analysis. In qualitative risk analysis the impact of exploiting a threat is measured in relative terms. When a system is easy to exploit, it has a High likelihood that a threat could exploit the vulnerability. Likelihood definitions for the exploitation of vulnerabilities are found in the following table.
|Low||There is little to no chance that a threat could exploit vulnerability and cause loss to the system or its data.|
|Medium||There is a Medium chance that a threat could exploit vulnerability and cause loss to the system or its data.|
|High||There is a High chance that a threat could exploit vulnerability and cause loss to the system or its data.|
Impact refers to the magnitude of potential harm that could be caused to the system (or its data) by successful exploitation. Definitions for the impact resulting from the exploitation of a vulnerability are described in the following table. Since exploitation has not yet occurred, these values are perceived values. If the exploitation of vulnerability can cause significant loss to a system (or its data) then the impact of the exploit is considered to be High.
|Low||If vulnerabilities are exploited by threats, little to no loss to the system, networks, or data would occur.|
|Medium||If vulnerabilities are exploited by threats, Medium loss to the system, networks, and data would occur.|
|High||If vulnerabilities are exploited by threats, significant loss to the system, networks, and data would occur.|
The risk level for the finding is the intersection of the likelihood value and impact value as depicted the table depicted below. The combination of High likelihood and High impact creates the highest risk exposure. The risk exposure matrix shown in the table below presents the same likelihood and impact severity ratings as those found in NIST SP 800-30 Risk Management Guide for Information Technology Systems.
Risk Assessment Results
This section documents the technical and non-technical security risks to the system. Complete the following risk assessment table, ensuring that you have addressed at least 10 risks. You will be graded on your ability to demonstrate knowledge that the risks are relevant to the company you have identified, as well as that the security controls are appropriate to the controlling the risks you have identified.
The following provides a brief description of the information documented in each column:
· Identifier: Provides a unique number used for referencing each vulnerability in the form of R#-Security Control ID.
· Source: Indicates the source where the vulnerability was identified (e.g., System Security Plan or Audit.)
· Threat: Indicates the applicable threat type from the table of threats..
· Risk Description: Provides a brief description of the risk.
· Business Impact: Provides a brief description of the impact to the organization if the risk is realized.
· Recommended Corrective Action: Provides a brief description of the corrective action(s) recommended for mitigating the risks associated with the finding.
· Likelihood: Provides the likelihood of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
· Impact: Provides the impact of a threat exploiting the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
· Risk Level: Provides the risk level (high, Medium, low) for the vulnerability. This is determined by applying the methodology outlined in Section 3 of this document.
Your deliverables, as a team, will consist of the following 2 documents (and presentation):
1. You will complete and submit the following completed table for grading.
|Identifier||Source||Threat ID||Risk Description||Business Impact||Recommended Corrective Action||Likelihood||Impact||Risk Level|
T-8, T-23, T-24,
|Notification is not performed when account changes are made.||The lack of notification allows unauthorized changes to individuals who elevate permissions and group membership to occur without detection.||Enable auditing of all activities performed under privileged accounts in GPOs and develop a process to allow these events to be reviewed by an individual who does not have Administrative privileges.||Medium||Medium||Medium|
2. You will prepare a presentation in which your team presents 1) overview 2) summary of findings 3) drill down on the high risks – discuss why you felt they presented a greater risk to the agency 4) Recommendations for all of your significant findings (don’t worry about the low ones). 5) Research a technical solution (a product), that can help the agency “get healthy”. Describe (in your own words, not the vendor’s words) how the tool can help solve the risk it is intended to address.